No, security by obscurity is a step in no direction at all.
By way of example, I’m going to tell you the exact method I used to generate my online banking password. Not just a method like the one I used; the exact method.
First, I put the 26 letters and 10 digits, in order, in a 6x6 grid. Then, I rolled two dice to select a character from that grid. Then I flipped a coin to determine whether or not I would press “shift” when I entered that character. That gave me the first character of my password. Then I repeated that process to the maximum number of characters allowed.
You now know the exact method I used to generate that password, and it’s still completely secure. Keeping my method obscure wouldn’t increase my security at all.
Now, granted, that one was a lot of work, because a bank account is kind of the textbook example of a high-value account. I don’t usually put in that much effort, and so most of my passwords are somewhat less secure than that. But it’s a good illustration of the principle.
Remember that password generating rules (e.g. no dictionary words, mixed case, include numbers and special characters) aren’t “here are some good rules that you can use if you really want to make your password super-super secure”.
They are “here are some good rules to enforce on Gary from accounting, who if left to his own devices would make every password ‘password’ because IT security is ‘not his problem’, so that his grotesque incompetence and apathy doesn’t result in as big a risk to the entire organization as it might otherwise”.
The problem with these password rules is that they are driven by the worst of us, not the best of us.
The XKCD method works really well if you only need to memorize one or two passwords.
But because of the possibility of phishing, Trojans, Ransomeware, malware, etc you should NEVER use the same password on multiple sites, especially sites that store personal information.
I have:
Amazon
Netflix
Bank
Paypal
Venmo
HBOMax
Cell phone
Hotmail
Gmail
Credit card
Credit card
… And about 50 online merchant accounts like bed bath and beyond, direct tools outlet, home depot, etc.
There is no conceivable way to use your brain as storage and keep yourself safe from the stupidest person at any of those companies, but if you use different, random passwords and a password manager you are much safer.
So use correct horse battery staple on your computer login and “obvious insect window journey” for your password manager, and let it handle everything else. And use MFA whenever it’s offered.
Security by obscurity is a single step on the journey to nirvana. However, your point is equally valid, that should you lose that piece, you better have a lot more ammunition in your arsenal. Knowing whether the password contains intact words, for example, is just one possible clue to find a password.
What if instead of using the first letter of each word of a phrase, I use the second letter?
The third?
Skip every other letter?
Double every letter? Fist one of the pair upper case?
Use Latin? French (common in Canada)? Spanish, Italian, Portuguese?
Each possible option only makes the search longer. Making a search take 9 months instead of 3 significantly impacts the vulnerability if the passwords expire every 6 months (or in a place I worked - 3 months). If it makes the rainbow table infeasibly large, even better.
The problem I have with xkcd’s method is that almost no login system these days will allow it. There are a large number of permutations of rules for different secure sites such that it’s really hard to find a common scheme that works with all of them.
For example, some sites require either the first or last letter to be capitalized. Some require a capitalized letter than cannot be either the first or last. Some have dofferent minimum and maximum character lengths. Some require at least one number. Some require two or more numbers. Some require a number somewhere in the middle of the password but not at the end. My bank requires at least one punctuation symbol as well. One web site I use has a minimum of 8 and a maximum of 13 characters. It’s nuts.
There are algorithmic techniques you can use to come up with unique passwords for each site you visit. You can use the domain name as your sort-of public key for your private password. For example, You might have an algorithm that uses the first four letters of the domain name to generate four words through some unique technique you come up with.
As a random example I’m just thinking up right now, you could take the length of the do,ain name, and subtract that number from the number of the first letter in the domain name, then do some kind of word lookup based on that, rolling over if you get back to A.
SDMB.com then would generate four words starting with S-4, D-4, M-4, B-4, so PZJX. Have another technique for which word for each letter you use. For example, you could use the domain name length plus the position of the letter. So I would use a random obscure book for my ‘key’, then pick the fourth S word, in a certain chapter, the fifth D , sixth M, etc. Or choose some other method.
Now you can recreate your password if you forget it, but to anyone else it’s just four random words. Of course, if you use the exact technique in multiple databases and someone REALLY wanted your password, they might be able to figure out what the technique is given enough samples. To thwart that, come up,with a PIN and add it to the middle of the string. Or have a four digit pin and insert the numbers between every word.
So if I had a PIN of 7743, say, my password for the SDMB might be Panel7Zebra7Jam4Xray3. That would satisfy most password rule requirements, could,be reconstructed algorithmically as long as you keep the book for reference, but is still pretty secure.
Basic Microsoft Server rules were 8 characters, including at least one upper, lower, digit, and punctuation. The security consultants recommended a minimum of 15, but for some reason the version of Windows server (2012) did not accept that.(14 or less only). They settled on 10.
So some simple extra efforts were recommended to slow hackers - such as “do not allow enumeration of users”. Originally you could send a request to the server for user1, then 2, etc. and get back usernames. Create an alternate admin and disable “administrator” - this was the one userid that did not lock on too many bad passwords. 2-factor authentication, require VPN for remote connect, etc. Do not make “all users” or “everyone” the administrator on local PC’s. (if possible, don’t let users be admin on their PC’s. this turned out to be impractical for users who need to install software or print drivers…) It’s a constant trade-off between security and functionality.
Yes, sort of like - hiding your valuables in your house may slow down thieves and make their attempts at burglaries more difficult, but it’s not the only strategy to rely on - still have an alarm, lock your doors, and then also put your valuables in a less obvious place than a jewelry box on the dresser - or at least the really expensive ones. But telling everyone where you hid the family jewels is not a good strategy just because you think the lock is secure.
I always marvel at those Hollywood movies where the break-in team have the complete dope on the alarm system, floor plan, guard schedules, or whatever. Keeping some details of your setup private would have a few advantages.
As it happens hackers use Rainbow Tables which are basically databases of hashed passwords. If your password is “1234” then it is on that list and they can find it (which is why a salted-hash helps but “1234” would still be bad).
The XKCD cartoon is telling you that “YonUb38&4#lbf” is not a better passwords than “TheSDMBisthebestforum!123”
You’ll never remember the first password (well, you could but it is a pain) while the second one is easily memorable to you and is super unlikely to be on any Rainbow Tables. If they want to brute force it they will have a tough time of it. The first one is not objectively better as a password.
So, for the average person, just make a passphrase that you will remember easily. Have a dog named “Fluffy” then a password “Fullfyisthegoodestboy!” or “Fluffyisalittleshit” will be a great password. You’ll remember it and it almost certainly is not in any database and a brute force attack would take a long time.
One good way is to use sports score notation of famous games that one will remember.
Like PAK249/6ENG227MCG92 based on this game, which will according to the How Secure site will take 9 hundred trillion year to fgigure out.
But from what @Francis_Vaughan and others have been saying the issue isn’t brute force, its that attackers figure out such tricks after while?
The issue is that if you do not use a random password (roll dice…), then your password is not random, and therefore easier to guess than a random password.
This may not be so bad if the attacker has no way to apply brute force to try out potential passwords.
The thing is…most attacks will never be able to guess your password. They brute force it or hack password databases.
Yes, there are some cases where passwords have been guessed (I saw it happen once when an executive’s secretary guessed his password) but, mostly, a guess means brute force.
Yeah and I have guessed my parents passwords. That’s is predicated on knowing the person and their proclivities. For all we know the Secretary knew he often used some variation of his wife and daughters names, it greatly reduces the amount of guesswork she needs to do.
I would think a computer would be much more sophisticated and have a lot more ability to access commonly used phrases and notations and their sources and do a much larger variation of the Secretary’s “guess”.
So sports scores. Trivia. Famous phrases from pop culture. And possible variations.
In the early days of internet security there was a bit of an arms race between fancier passwords and more extensive rainbow tables. As a super-simplified example, when early sites insisted on PWs containing only upper- and lower-case letters, with no digits or punctuation allowed, and 8 characters max, they effectively limited the size of the corresponding rainbow table to something that was computationally feasible for the bad guys.
If, say, digits were then allowed, the hackers needed a bigger rainbow table. And if the (not very bright) hackers thought only of appending the digits on the end of the PW letters, their table would miss anyone who was “clever” enough to choose “pass1word” as their password. Pretty quickly more clever hackers thought of numbers between the syllables. So then came the advice to do “leet” like p@$$w0rd!". Many of these “rules” came about because for some benighted reason sites & systems were resistant to passwords longer than a handful of characters. So there was more and more effort devoted to cramming more and more unguessability into rather few keystrokes using ever more “clever” stupid human tricks.
Then we got a little smarter, at least in the corporate world, where one of the risks is not an outside hacker, but somebody else in the cube farm with you who would look for your cheat sheet taped to the bottom of your keyboard. That led to a different arms race to come up with ever more clever ways to add, if not randomness, at least complexity to passwords in a way that was still memorable to humans and would not been to be written down". Hence the “to be or not to be” → “tbontb” trick. etc., back and forth for a few years.
“Correct horse battery staple” is more of the same a few years later, but at least has the genuine advantage that the best way to defeat rainbows and random guessing specifically is pure password length. Which longer length most non-ancient systems now can readily accommodate. That method scales best, or said another way, you get more unguessability by the enemy computer more easily for the human to generate and remember by adding length than you do by adding funky “leet” characters.
As others have said, that’s all the battles of 15 years ago. Each of us now has access to dozens to hundreds of distinct websites & systems. Each of which is exposed to the wild internet with all the roving bands of vandals and very professional thieves. Ideally each of us will use a different password on each of our sites, so we each have dozens to hundreds of passwords. It’s implausible for anyone but savants to create them all well and remember them all well.
So arguing about the best way to generate and remember one quality password is silly/obsolete. It’s time for us all to be embracing a method for generating and remembering lots and lots of quality passwords. Being a different problem it has a different solution. It’s long past time to delegate all that random creation and perfect remembering to machines; that’s what they’re good at, unlike us.
Get and use a password manager. Mine has 300+ computer-generated long and strong passwords in it. Everything else we’re talking about here is either retelling war stories from 10-30 years ago or is preaching (ineffectually) to the laziest and least security-motivated people: the ones still using “Pass1word!” for (almost) all their various online accounts here in 2022.
The common fear is, what happens when your password manager gets hacked? I have no idea how warranted this fear is, but it does seem like having all your eggs in one basket.
